Beginner14 min readMay 31, 2026Infrastructure

Cloudflare Tunnel: The Definitive Setup Guide

Learn how to deploy Cloudflare Tunnel on your self-hosted server. Step-by-step guide covering connector setup, routing configuration, access policies, and production hardening. No open ports required.

CLOUDFLARE TUNNEL

The Architecture Behind Zero Open Ports

Cloudflare Tunnel — formerly known as Argo Tunnel — is the cornerstone technology behind a zero-exposure self-hosted architecture. Instead of opening ports on your router and hoping your firewall rules are correct, the tunnel inverts the connection model entirely.

A lightweight daemon called cloudflared runs inside your network and establishes an outbound-only, encrypted connection to Cloudflare's global edge. When a visitor requests one of your services, Cloudflare routes that request through the tunnel to your origin — without a single inbound port being open.

This guide walks you through deploying Cloudflare Tunnel in a production Docker environment, configuring routing rules for multiple services, and hardening the setup against common misconfigurations.

How Cloudflare Tunnel Routes Traffic

Every request follows the same path — from the public internet through Cloudflare's edge, down the encrypted tunnel, through your reverse proxy, and finally to the target service.

Visitor Browser

→

Cloudflare Edge (200+ PoPs)

→

cloudflared Connector

→

Reverse Proxy

→

Target Service

Request lifecycle through Cloudflare Tunnel — the origin never receives unsolicited connections

Outbound-Only

The cloudflared connector initiates all connections outward. Your firewall never needs an inbound rule for web traffic.

Anycast Routing

Traffic enters the nearest Cloudflare PoP globally, reducing latency and absorbing volumetric attacks before they reach origin.

Automatic TLS

Cloudflare manages certificate issuance and renewal for all tunneled services. No Certbot, no manual renewals.

Multi-Service Support

A single tunnel connector can route traffic to dozens of services based on hostname or path rules.

Cloudflare Tunnel by the Numbers

What you gain architecturally by replacing port forwarding with a tunnel-based ingress model.

Create a Cloudflare account and add your domain. Cloudflare must be the authoritative DNS for your domain for the tunnel to function.

Install the cloudflared connector on your server. The connector runs as a Docker container alongside your other services.

Authenticate cloudflared with your Cloudflare account and create a named tunnel. A credentials file is generated and stored locally.

Define your ingress rules in a tunnel configuration file. Each rule maps a hostname to an internal service URL.

Start the connector and verify DNS records are automatically created in your Cloudflare dashboard.

Inbound Ports Required0

Edge 300+

Services per TunnelUnlimited

Certificate ManagementAutomatic

DEPLOYMENT

Production Deployment with Docker Compose

Connector Configuration

The cloudflared connector is best deployed as a Docker container defined in your existing Compose stack. It shares a network with your reverse proxy and routes tunnel traffic directly to internal service hostnames — no external DNS resolution required. Zero-Exposure Infrastructure guide

The connector requires a credentials file obtained during the tunnel creation process. This file should be stored outside your repository and mounted as a read-only volume into the container. Never commit tunnel credentials to version control.

Ingress Rule Design

Ingress rules define how the tunnel maps incoming hostnames to internal services. Each rule specifies a hostname and a service URL — the service URL uses Docker's internal DNS, meaning you reference containers by their service name rather than an IP address.

Rules are evaluated top to bottom. A catch-all rule at the bottom of the ingress list ensures that unmatched requests receive a defined response rather than an error from the tunnel itself.

Network Isolation

The cloudflared container should be placed on the same Docker network as your reverse proxy, but not on application-specific networks. This ensures the connector can reach the proxy while remaining isolated from individual services — maintaining the principle that only the proxy bridges external and internal traffic.

REMOTE ACCESS

Protect Your Admin Sessions

A zero-exposure architecture secures your server. A VPN secures you — encrypting your connection when managing infrastructure from untrusted networks, coffee shops, or travel. NordVPN is what we use for this layer.

Try NordVPN

This is an affiliate link. If you purchase, I earn a commission at no extra cost to you.

Hardening Your Tunnel Configuration

A default Cloudflare Tunnel installation is already more secure than port forwarding. These hardening measures close the remaining gaps and reduce your attack surface further.

Layer 01 — Edge

Bot & Threat Control↓ passes to next layer

Layer 02 — Tunnel

Connector Hardening↓ passes to next layer

Layer 03 — Ingress

Route Isolation↓ passes to next layer

Layer 04 — DNS

Cloudflare DNS Hardening

EdgeBot & Threat Control

Enable Bot Fight Mode on your Cloudflare zone • Block AI training crawlers via WAF rules • Enable Hotlink Protection for media assets • Configure rate limiting rules per service path

TunnelConnector Hardening

Run cloudflared as a non-root user inside the container • Mount credentials file as read-only volume • Set no-autoupdate: true in production — control updates explicitly • Use --loglevel warn in production to reduce log noise

IngressRoute Isolation

Scope each hostname to the minimum required internal service • Use noTLSVerify: false — always verify internal TLS where possible • Define explicit catch-all rules that return 404, not tunnel errors • Separate public and admin-facing routes into distinct hostnames

DNSCloudflare DNS Hardening

Enable DNSSEC on your Cloudflare zone • Use Cloudflare's 1.1.1.1 resolver for internal clients • Enable minimum TTL on tunnel DNS records — changes propagate faster • Proxy all DNS records through Cloudflare — never expose origin IPs

Cloudflare Tunnel routes traffic through Cloudflare's network, which means Cloudflare can inspect unencrypted traffic between their edge and your origin. For sensitive services, consider end-to-end encryption using internal TLS between the tunnel and your services, or evaluate whether Cloudflare's data handling policies are appropriate for your use case.

Common Tunnel Configurations

Real-world ingress patterns for self-hosted environments. Each pattern solves a specific routing challenge.

Single Service, Single Hostname

The simplest pattern. One hostname maps directly to one internal service. Ideal for public-facing tools with no admin interface.

Multi-Service with Subdomains

Each subdomain routes to a different internal service through the same tunnel. A single connector handles all routing via hostname matching.

Path-Based Routing

Multiple services share a single hostname, differentiated by URL path. Useful when you need to keep all services under one domain.

Admin Interface Isolation

Public and admin interfaces run on separate hostnames with different Cloudflare Access policies. Admins authenticate; public traffic does not.

Cloudflare Tunnel Production Checklist

Before going live, verify each item against your deployment. Every unchecked item represents a configuration gap.

✓Tunnel credentials file stored outside version control and mounted read-only

✓cloudflared container running as non-root user

✓All public DNS records proxied through Cloudflare — no orange-to-grey DNS leaks

✓DNSSEC enabled on your Cloudflare zone

✓Bot Fight Mode enabled on all public-facing zones

✓Rate limiting rules configured for login endpoints and API routes

✓Catch-all ingress rule defined — returns 404, not a tunnel error

✓Connector placed on proxy network only — not on application-specific networks

✓Tunnel name and ID documented in your infrastructure runbook

✓Cloudflare Access policy configured for any admin-facing hostname

Intermediate14 min